// Schema lifecycle: experimental | stable | deprecated
// Package-level status attribute; consumers should expect breaking changes while "experimental".
@status("experimental")
package gemara

// Go package name used when Go types are generated from this schema.
@go(gemara)
6
// EnforcementLog records actions taken in response to noncompliance findings from Layer 5 evaluations.
//
// It embeds the shared #Log definition (declared outside this file) and pins the
// metadata discriminator to "EnforcementLog" so a log cannot be mislabelled as another kind.
#EnforcementLog: {
	#Log
	metadata: type: "EnforcementLog"
	// disposition is the aggregate enforcement disposition across all actions in this log
	disposition: #Disposition
	// actions is the list of enforcement actions performed (at least one entry is required)
	actions: [#ActionLog, ...#ActionLog] @go(Actions,type=[]*ActionLog)
	// Enforce that Clear dispositions only contain Passed assessment results.
	// This second `actions` declaration unifies with the one above; `disposition` inside the
	// element constraint resolves lexically to the log-level field above, not to the
	// per-action disposition that #ActionLog contributes.
	// NOTE(review): nothing here relates the per-action dispositions to the aggregate, so an
	// action marked "Enforced" or "Tolerated" still validates inside a "Clear" log as long as
	// its assessments all read "Passed" — confirm whether that is intended.
	actions: [...{
		if disposition == "Clear" {
			justification: assessments: [...{result: "Passed"}]
		}
	}]
}
22
// ActionLog captures a performed enforcement action.
//
// Every action must carry a disposition, the policy method it enforced, a start time,
// at least one step reference and a justification; message and end time are optional.
#ActionLog: {
	// disposition is the enforcement action taken
	// NOTE(review): no constraint requires justification.exceptions to be present when the
	// disposition is "Tolerated", so findings can be recorded as accepted without any
	// referenced exception — consider requiring one in that case.
	disposition: #Disposition @go(Disposition)

	// method references the specific AcceptedMethod entry within the Policy being enforced
	method: #EntryMapping @go(Method)

	// message provides additional context about the action
	message?: string @go(Message,type=*string)

	// start is the timestamp when the enforcement action began
	start: #Datetime

	// end is the timestamp when the enforcement action concluded
	// (optional; this schema expresses no ordering between start and end)
	end?: #Datetime

	// steps references the code paths or addresses that carried out this enforcement action
	// (at least one entry is required; entries are free-form strings, see #EnforcementStep)
	steps: [#EnforcementStep, ...#EnforcementStep]

	// justification links the action to its assessment findings and any applicable exceptions
	justification: #Justification @go(Justification)
}
46
// EnforcementStep is a reference to the code that performed an enforcement action.
// It is an unconstrained string; no format (path, URL, address) is enforced at schema level.
// The @go(-) attribute presumably suppresses a dedicated generated Go type for this alias.
#EnforcementStep: string @go(-)
49
// Justification provides the assessment data and exception references that justify an enforcement action.
#Justification: {
	// assessments links the action to one or more Assessment Findings (at least one is required)
	assessments: [#AssessmentFinding, ...#AssessmentFinding] @go(Assessments)

	// exceptions references approved Policy exceptions that authorize the action
	// (optional, but non-empty when present)
	exceptions?: [#ArtifactMapping, ...#ArtifactMapping] @go(Exceptions)
}
58
// AssessmentFinding maps an enforcement action to its originating assessment data across Layer 2, Layer 3, and Layer 5.
//
// Only the result and the EvaluationLog reference are mandatory; the requirement and plan
// mappings are optional, so a finding need not be traceable back to a Layer 2 requirement.
#AssessmentFinding: {
	// result is the assessment outcome that triggered the enforcement action (#Result is declared elsewhere)
	result: #Result

	// requirement maps to the Layer 2 assessment requirement that was evaluated
	requirement?: #EntryMapping @go(Requirement)

	// plan maps to the Policy assessment plan that was executed
	plan?: #EntryMapping @go(Plan)

	// log maps to the EvaluationLog entry containing the finding
	log: #EntryMapping @go(Log)
}
73
// Disposition enumerates the possible enforcement outcomes.
// This is a closed set of four string values with no default marked, so a value must
// always be supplied explicitly. The @go(-) attribute presumably suppresses a dedicated
// generated Go type.
#Disposition:
	// Enforcement outcome could not be determined.
	"Undetermined" |
	// Findings existed and actions were taken.
	"Enforced" |
	// Findings existed but were accepted without action.
	"Tolerated" |
	// No findings, nothing to act on.
	"Clear" @go(-)